Re: In-kernel Authentication Tokens (PAGs)

[Chris Wright]

* Kyle Moffett (mrmacman_g4@xxxxxxx) wrote:
> On Jun 11, 2004, at 23:15, Chris Wright wrote:
> > Hrm.  Wouldn't it be possible that two processes with same uid have
> > authenticated in different domains, and as such shouldn't be allowed to
> > touch each other's PAGs?  Or is this not allowed?
> 
> Linux doesn't really support the idea that a process should not be able 
> to
> affect another process in the same UID.  There's too many things that

Actually that's not the case.  The UID is currently insufficient to
describe the security domain that a process is running in.  The whole
of the LSM infrastructure is designed with this in mind.  So somehting
like SELinux may enforce a security domain change (w/out a UID change)
across an execve() of pagsh.  I was simply trying to ascertain if you
were storing this within task->user which I think would be wrong.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/